Challenge:

Cyber attacks on small businesses rarely make the headlines, so it’s understandable that such organizations tend to have a false sense of security and an underestimation of their risks and vulnerabilities. Since smaller organizations are generally unaware that they are at serious risk and are not able or willing to invest in adequate security, they become easy targets for cyber criminals. Theft of banking credentials, credit card information or personally identifiable information can lead to identity theft, insurance fraud and possibly large and immediate financial loss. Compromise of business plans, marketing strategy, or intellectual property, which may go undetected, can have devastating competitive consequences. According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack. As with other areas of risk, businesses must take reasonable steps to cover IT related exposures.

Solution:

When MGAC was faced with a cyber attack, they turned to trusted partner eMentum for help assessing the scope of the incident and providing recommendations on improving its security posture. eMentum was responsible for helping MGAC assess the adequacy of its response to a cyber attack. eMentum quickly developed and produced a comprehensive analysis of the sequence of events and responses. This analysis provided a complete understanding of the chronology of the attack and response and served as the basis for critique of the incident response and planning for future responses protocols.

Beyond the incident assessment, eMentum also provided a series of documents including both technical and administrative policies and risk management guidelines addressing some key issues facing MGAC. eMentum used the SANS Institute’s 20 Critical Security Controls for Effective Cyber Defense as the baseline against which to assess MGAC’s security posture. eMentum prioritized and focused on a small number of actionable controls with high-payoff, reflecting a “must do first” philosophy. Since the controls address the most commonly exploited vulnerabilities and were vetted by a very broad community of government and industry experts they served as the basis for immediate high-value actions.

Business Impact:

Based on their analysis of MGAC’s risk exposure, eMentum provided a “Top 10” list of tactical (achievable with current resources in the short term) and strategic (requiring formal planning for future action) recommendations. By the end of Phase One, eMentum was able to provide MGAC with a better understanding of the risks facing it as a small-to-midsize business and generated a series of tailored documents to help reduce their cyber risks and develop a corporate risk management program. eMentum also developed detailed position descriptions to allow MGAC to put the right people in place to institutionalize its new understanding of how to conduct business securely. Through governance, risk management and compliance, eMentum was able to reduce operational risk and improve business resilience at MGAC.

eMentum is a woman-owned management and information technology consultancy. We deliver strategy, management, and security solutions that leverage our clients’ strengths, minimize their risks, and meet their goals.